Tech Journal: Apps and Your Privacy

Path, if you didn’t already know, is a beautiful mobile app that lets you share photos, videos, your location and other interesting bits of your life with friends and family. You can integrate Path with your Twitter or Facebook account and use it to simultaneously post a picture or video across all your social networks.

Park Ji-Hwan/Agence France-Presse/Getty Images

Apple’s existing permission model isn’t very user-friendly and it’s hard to figure out what data an app has access to.

Path is free and is available for both iPhone and Android mobile phones. People seem to love the app, but last week Path found itself at the center of a controversy involving users’ data.

Path could be uploading your address book to its servers for a very obvious reason: to suggest new friends. Like Facebook or LinkedIn, it wants to tell you when an acquaintance joins the network. But the big problem was disclosure.

Path users were mostly unaware that their address books were being uploaded to a third-party server. The intentions of the company could be good – it’s hard to imagine Path selling your address book to spammers – but the fact it didn’t inform users wasn’t the right approach.

Under pressure, Path quickly deleted the stored address books, its co-founder Dave Morin issued an apology and the company released an updated version of the app that makes data-collection optional.

Path wasn’t the only iOS app that uploaded contacts data to “improve experience.” The Verge and Venture Beat analyzed the network traffic of several popular apps, and found that some of them upload your contact information. The Path controversy did have an effect and apps like Instagram and Foursquare now explicitly warn users before uploading your address book. That’s how things should have been at the first place.

Personally, I don’t have a problem sharing my address book with apps, as long as I know why they need that information and what they intend to do with it. Social networks like LinkedIn or Twitter need to know the email addresses of my existing friends to suggest connections, but if the app doesn’t involve any social features or if it is the creation of an unknown developer, I wouldn’t be willing to share my contacts data.

Microsoft’s online store in India was recently hacked and the login credentials of users were exposed. Such incidents can happen to small app developers as well and that’s the part that worries me most.

Nick Bilton covers another scenario where state officials could get hold of dissidents’ address books ”to figure out who they are in cahoots with.” Such information can lead to roundups and arrests, he says.

Unfortunately, Apple’s existing permission model isn’t very user-friendly and it’s hard to figure out what data an app has access to – you can only read the app’s privacy policy or believe what the app-developer is saying. Apple could take a cue from Facebook, which I think does a good job of telling users what parts of their profile an app can access.

Technically, it is possible for app developers to not upload your address books and still offer relevant friend suggestions. An email address can be represented as a unique string (or hash) that cannot be reverse-engineered. Apps can upload and store these hashes, instead of actual email addresses, on their servers and they can compare them to easily discover common connections across different address books. That would be a good approach.

About India Real Time

India Real Time offers analysis and insights into the broad range of developments in business, markets, the economy, politics, culture, sports, and entertainment that take place every single day in the world’s largest democracy. Regular posts from Wall Street Journal and Dow Jones Newswires reporters around the country provide a unique take on the main stories in the news, shed light on what else mattered and why, and give global readers a snapshot of what Indians have been talking about all week. You can contact the editors at indiarealtime(at)wsj(dot)com.